Upgrading cyber attacks to a Grade A risk status

Businesses do themselves a good deal of harm if they think it is only a tech issue, and, worryingly, the Middle East’s response to combat the threat lags the rest of the world.

Cybersecurity — you’re either ready or you’re not. The alarm has been sounding for quite some time. It is no longer a question of if your organisation may be subject to the risks of cyber-threats, but when.

The paradigm has shifted and the harsh realities of cybersecurity are no longer an emerging risk, they have emerged and are a business imperative. Things are only heading in one direction and, left undiagnosed and untreated, the prognosis is alarming.

The assets and wealth of financial institutions in the GCC have been identified as prime targets for cyber-criminals. While this is a global issue, the Middle East’s response to combat the threat lags the rest of the world.

As asset managers in the GCC seek to grow assets under management, they are failing to attract assets from sophisticated and discerning institutional investors who have already woken to the seriousness of the cyber-threat. GCC institutional investors and investment managers need to protect themselves and their investors from the fallout of financial losses, confidential data compromise, unlimited reputational damage and disruption associated with successful cyber-attacks.

The stats are not comforting. In a recent Marsh & McLennan Companies and Firefly survey of European institutions, 23 per cent of respondents acknowledged they had been a victim of a successful cyber-attack in the last 12 months. Nearly two-thirds said cyber-risk is among their organisations’ top five risk management priorities.

Only 45 per cent said they formally estimate the financial impact of a potential cyber event as part of risk management.

Last year was the most damaging yet for cybersecurity; the WannaCry ransomware and NotPetya’s “wiper” malware permanently changed the global cyber-landscape. NotPetya is said to be responsible for $1 billion (Dh3.67 billion) in economic losses. As if that were not alarming enough, August 2017 saw the loss of 150 million consumer credit customers’ personal records and wiped $5 billion off market cap.

Whichever way you look at it, the prognosis is worrying. Cyber-incidents once considered extraordinary have rapidly become commonplace.

The cost of cybercrime to businesses over the next five years is expected to be $8 trillion. In a world with 7.6 billion people, there were an estimated 8.4 billion internet-enabled devices in 2017. The figure is projected to grow to 20.4 billion by 2020.

The world is experiencing the rise of cyber-dependency due to increasing digital interconnection of people, things and organisations. Greater cyber-dependency and the exponential rise in cybercrime are inextricably linked.

In response, the World Economic Forum Global Risks Report 2018 upgraded the risk of cyberattacks and data fraud or theft to top five risks by likelihood. In 2017, cyber was not even a standalone risk in the “Global Risk” landscape rankings. Ernst & Young suggest cyber-risk has evolved as a standalone critical risk category to be viewed not only as a technology issue, but as a pervasive business and operational risk with the potential for significant impact on assets, revenues, reputation, confidentiality and profitability.

In an effort to bring greater investor and consumer protections, whilst increasing the cyber-standard expected of organisations, a wave of regulation is emerging. The General Data Protection Regulation (GDPR) imposes far-reaching obligations surrounding cyber-breach disclosure.

Commentators suggest GDPR will “change the world as we know it” and, while GDPR is EU legislation, other global financial centres are rapidly adopting similar cyber-laws. GDPR breaches and non-compliance are expected to result in billions of dollars of fines annually.

Governments, regulators, supervisory boards, media and consumers will scrutinise executives’ responses to newly disclosed cyber-incidents that previously remained below the surface. Financial institutions in the GCC should not wait for regional regulators to impose similar requirements. Consider these five steps to manage the cyber-threat:

* Embed C-suite accountability

The stakes have changed for the C-suite. Cybersecurity has firmly taken its place on the corporate risk register and cyber-accountability rests with the board of directors. While the concepts of cybersecurity may be foreign for many executives, protecting your organisation against risk is not.

Experienced executives understand their limitations and leverage resources to fill the gaps. Setting the tone from the top, corporate boards should implement formal data and cybersecurity policies with appropriate governance and awareness processes.

* Understand the threat

Undertake an expert assessment to understand the scope of the threat and your organisation’s vulnerabilities. Understand the volume and criticality of unpatched software vulnerabilities.

* Implement the change

Strengthen your IT infrastructure by comprehensively tackling the vulnerabilities identified in the threat assessment. Further mitigate the risks of penetration by reducing your organisation’s attack surface.

* Educate your people

The role of human error in successful cyber-attacks should not be underestimated. Human behaviour lies at the core of security strategy. Creative and ongoing employee cyber-awareness should be implemented.

* Monitor your infrastructure

Establish a framework for continuous IT network monitoring, including responsibility for identifying and applying critical software patches, and escalation to the C-suite. Re-assess the IT environment and emerging threats regularly to ensure ongoing appropriateness against the changing landscape.

Failure to take the reality of the cyber-threat seriously would be reckless. By embedding C-suite accountability, understanding the threat, implementing the change, educating your people and continually monitoring your IT infrastructure, you will be taking measures towards mitigating the countless cybersecurity risks we all now face.

— Nigel Morriss is Mercer Investments’ Head of Operational Risk for the Middle East, India, Turkey and Africa